Partition Refinement for Bisimilarity in CCP

Andres Aristizabal (CNRS/DGA), andresaristi@lix.polytechnique.fr
Filippo Bonchi (CNRS), filippo.bonchi@ens-lyon.fr
Frank D. Valencia (CNRS), frank.valencia@lix.polytechnique.fr
Luis Fernando Pino (INRIA/DGA), luis.pino@lix.polytechnique.fr

ABSTRACT 

Saraswat's concurrent constraint programming (ccp) is a mature formalism for modeling processes (or programs) that interact by telling and asking constraints in a global medium, called the store. Bisimilarity is a standard behavioural equivalence in concurrency theory, but a well-behaved notion of bisimilarity for ccp has been proposed only recently. When the state space of a system is finite, the ordinary notion of bisimilarity can be computed via the well-known partition refinement algorithm, but unfortunately, this algorithm does not work for ccp bisimilarity.

In this paper, we propose a variation of the partition refinement algorithm for verifying ccp bisimilarity. To the best of our knowledge this is the first work providing for the automatic verification of program equivalence for ccp.

Keywords

Concurrent Constraint Programming, Bisimilarity, Partition Refinement.

1. INTRODUCTION 

Bisimilarity is the main representative of the so called behavioral equivalences, i.e., equivalence relations that determine when two processes (e.g., the specification and the implementation) behave in the same way. Many efficient algorithms and tools for bisimilarity checking have been developed [15, 8, 9]. Among these, the partition refinement algorithm [10] is the best known: first it generates the state space of a labeled transition system (LTS), i.e., the set of states reachable through the transitions; then, it creates a partition equating all states and afterwards, iteratively, refines these partitions by splitting non equivalent states. At the end, the resulting partition equates all and only bisimilar states.

Concurrent Constraint Programming (ccp) [13] is a formalism that combines the traditional algebraic and operational view of process calculi with a declarative one based upon first-order logic. In ccp, processes (agents or programs) interact by adding (or telling) and asking information (namely, constraints) in a medium (store).

Problem. The ccp formalism has been widely investigated and tested in terms of theoretical studies and the implementation of several ccp programming languages. From the applied computing point of view, however, ccp lacks algorithms and tools to automatically verify program equivalence. In this paper, we will give the first step towards automatic verification of ccp program equivalences by providing an algorithm to automatically verify a ccp process (or program) equivalence from the literature. Namely, saturated barbed bisimilarity.

Saturated barbed bisimilarity ($\sim_{sb}$) for ccp was introduced in [1]. Two configurations are equivalent according to $\sim_{sb}$ if (i) they have the same store, (ii) their transitions go into equivalent states and (iii) they are still equivalent when adding an arbitrary constraint to the store. In [1], a weak variant of $\sim_{sb}$ is shown to be fully abstract w.r.t. the standard observational equivalence of [14].

Unfortunately, the standard partition refinement algorithm does not work for $\sim_{sb}$ because condition (iii) requires to check all possible constraints that might be added to the store. In this paper we introduce a modified partition refinement algorithm for $\sim_{sb}$.

We closely follow the approach in [5] that studies the notion of saturated bisimilarity from a more general perspective and proposes an abstract checking procedure.

We first define a derivation relation $\vdash_D$ amongst the transitions of ccp processes: $\gamma \xrightarrow{\alpha} \gamma_1 \vdash_D \gamma \xrightarrow{\beta} \gamma_2$, which intuitively means that the latter transition is a logical consequence of the former.

Then we introduce the notion of redundant transition. Intuitively, a transition $\gamma \xrightarrow{\beta} \gamma_2$ is redundant if there exists another transition $\gamma \xrightarrow{\alpha} \gamma_1$ that logically implies it, that is $\gamma \xrightarrow{\alpha} \gamma_1 \vdash_D \gamma \xrightarrow{\beta} \gamma_3$ and $\gamma_2 \sim_{sb} \gamma_3$. Now, if we consider the LTS having only non-redundant transitions, the ordinary notion of bisimilarity coincides with $\sim_{sb}$. Thus, in principle, we could remove all the redundant transitions and then check bisimilarity with the standard partition refinement algorithm. But how can we decide which transitions are redundant, if redundancy itself depends on $\sim_{sb}$?

Our solution consists in computing $\sim_{sb}$ and redundancy at the same time. In the first step, the algorithm considers all the states as equivalent and all the transitions (potentially redundant) as redundant. At any iteration, states are discerned according to (the current estimation of) non-redundant transitions and then non-redundant transitions are updated according to the newly computed partition.

A distinctive aspect of our algorithm is that in the initial partition, we insert not only the reachable states, but also extra ones which are needed to check for redundancy. We prove that these additional states are finitely many and thus the termination of the algorithm is guaranteed whenever the original LTS is finite (as is the case for the standard partition refinement). Unfortunately, the number of these states might be exponential w.r.t. the size of the original LTS; consequently the worst-case running time is exponential.

Contributions. We provide an algorithm that allows us to verify saturated barbed bisimilarity for ccp. To the best of our knowledge, this is the first algorithm for the automatic verification of a ccp program equivalence. This is done in Sections 3 and 4 by building upon the results of [5]. In Sections 4.1 and 4.2 we also show the termination and the complexity of the algorithm. We have implemented the algorithm in C++ and the code is available at http://www.lix.polytechnique.fr/~andresaristi/strong/

2. BACKGROUND 

We now introduce the original standard partition refinement [10] and concurrent constraint programming (ccp).

Partition Refinement 

In this section we recall the partition refinement algorithm introduced in [10] for checking bisimilarity over the states of a labeled transition system (LTS). Recall that an LTS can be intuitively seen as a graph where nodes represent states (of computation) and arcs represent transitions between states. A transition $P \xrightarrow{a} Q$ between $P$ and $Q$ labelled with $a$ can be typically thought of as an evolution from $P$ to $Q$ provided that a condition $a$ is met.

Let us now introduce some notation. Given a set $S$, a partition of $S$ is a set of blocks, i.e., subsets of $S$, that are all disjoint and whose union is $S$. We write $\{B_1\} \ldots \{B_n\}$ to denote a partition consisting of blocks $B_1, \ldots, B_n$. A partition represents an equivalence relation where equivalent elements belong to the same block. We write $P\ \mathcal{P}\ Q$ to mean that $P$ and $Q$ are equivalent in the partition $\mathcal{P}$.

The partition refinement algorithm (see Alg. 1) checks the bisimilarity of a set of initial states $IS$ as follows. First, it computes $IS^*$, that is the set of all states that are reachable from $IS$. Then it creates the partition $\mathcal{P}^0$ where all the elements of $IS^*$ belong to the same block (i.e., they are all equivalent). After the initialization, it iteratively refines the partitions by employing the function $\mathcal{F}$, defined as follows: for all partitions $\mathcal{P}$, $P\ \mathcal{F}(\mathcal{P})\ Q$ iff

• if $P \xrightarrow{a} P'$ then there exists $Q'$ s.t. $Q \xrightarrow{a} Q'$ and $P'\ \mathcal{P}\ Q'$.

The algorithm terminates whenever two consecutive partitions are equivalent. In such a partition two states belong to the same block iff they are bisimilar.

Note that any iteration splits blocks and never fuses them. For this reason if $IS^*$ is finite, the algorithm terminates in at most $|IS^*|$ iterations.

Proposition 1. If $IS^*$ is finite, then the algorithm terminates and the resulting partition equates all and only the bisimilar states.



Algorithm 1 Partition-Refinement($IS$)
Initialization

1. $IS^*$ is the set of all processes reachable from $IS$,

2. $\mathcal{P}^0 := \{IS^*\}$,

Iteration $\mathcal{P}^{n+1} := \mathcal{F}(\mathcal{P}^n)$,

Termination If $\mathcal{P}^n = \mathcal{P}^{n+1}$ then return $\mathcal{P}^n$.



CCP 

We now recall the concurrent constraint programming process calculus (ccp) [13, 14]. In particular its notion of barbed saturated bisimilarity ($\sim_{sb}$) [1].

Constraint Systems. The ccp model is parametric in a constraint system specifying the structure and interdependencies of the information that processes can ask and tell. Following [14, 7], we regard a constraint system as a complete algebraic lattice structure.

Definition 1. A constraint system $\mathbf{C}$ is a complete algebraic lattice $(Con, Con_0, \sqsubseteq, \sqcup, true, false)$ where $Con$ (the set of constraints) is a partially ordered set w.r.t. $\sqsubseteq$, $Con_0$ is the subset of finite elements of $Con$, $\sqcup$ is the lub operation, and $true$, $false$ are the least and greatest elements of $Con$, respectively.

To capture local variables [14] introduces cylindric constraint systems. A cylindric constraint system over an infinite set of variables $V$ is a constraint system equipped with an operation $\exists_x$ for each $x \in V$. Broadly speaking $\exists_x$ has the properties of the existential quantification of $x$, e.g., $\exists_x c \sqsubseteq c$, $\exists_x \exists_y c = \exists_y \exists_x c$ and $\exists_x(c \sqcup \exists_x d) = \exists_x c \sqcup \exists_x d$. For the sake of space, we do not formally introduce this notion as it is not crucial to our work; see [14].

Given a partial order $(\mathbf{C}, \sqsubseteq)$, we say that $c$ is strictly smaller than $d$ ($c \sqsubset d$) if $c \sqsubseteq d$ and $c \neq d$. We say that $(\mathbf{C}, \sqsubseteq)$ is well-founded if there exist no infinite descending chains $\cdots \sqsubset c_n \sqsubset \cdots \sqsubset c_1 \sqsubset c_0$. For a set $A \subseteq \mathbf{C}$, we say that an element $m \in A$ is minimal in $A$ if for all $a \in A$, $a \not\sqsubset m$. We shall use $\min(A)$ to denote the set of all minimal elements of $A$. Well-founded orders and minimal elements are related by the following result.

Lemma 1. Let $(\mathbf{C}, \sqsubseteq)$ be a well-founded order and $A \subseteq \mathbf{C}$. If $a \in A$, then $\exists m \in \min(A)$ s.t. $m \sqsubseteq a$.

Remark 1. We shall assume that the constraint system is well-founded and, for practical reasons, that its $\sqsubseteq$ is decidable.

We now define the constraint system we use in our examples. 

Example 1. Let $Var$ be a set of variables and $\omega$ be the set of natural numbers. A variable assignment is a function $\rho : Var \rightarrow \omega$. We use $\mathcal{A}$ to denote the set of all assignments, $\mathcal{P}(\mathcal{A})$ to denote the powerset of $\mathcal{A}$, $\emptyset$ the empty set and $\cap$ the intersection of sets. Let us define the following constraint system: the set of constraints is $\mathcal{P}(\mathcal{A})$. We define $c \sqsubseteq d$ iff $c \supseteq d$. The constraint $false$ is $\emptyset$, while $true$ is $\mathcal{A}$. Given two constraints $c$ and $d$, $c \sqcup d$ is the intersection $c \cap d$. By abusing the notation, we will often use a formula like $x < n$ to denote the corresponding constraint, i.e., the set of all assignments that map $x$ to a number smaller than $n$.

Syntax. Let us presuppose a cylindric constraint system $\mathbf{C} = (Con, Con_0, \sqsubseteq, \sqcup, true, false)$ over a set of variables $Var$. The ccp processes are given by the following syntax,

$$P, Q ::= \mathbf{0} \mid \mathrm{tell}(c) \mid \mathrm{ask}(c) \rightarrow P \mid P \parallel Q \mid P + Q \mid \exists_x^c P \mid p(z)$$

where $c \in Con_0$, $x \in Var$, $z \in Var^*$.

Intuitively, $\mathbf{0}$ represents termination, $\mathrm{tell}(c)$ adds the constraint (or partial information) $c$ to the store. The addition is performed regardless of the generation of inconsistent information. The process $\mathrm{ask}(c) \rightarrow P$ may execute $P$ if $c$ is entailed by the information in the store. The processes $P \parallel Q$ and $P + Q$ stand, respectively, for the parallel execution and non-deterministic choice of $P$ and $Q$; $\exists_x$ is a hiding operator, namely it indicates that in $\exists_x^c P$ the variable $x$ is local to $P$ and $c$ is some local information (local store) possibly containing $x$. A process $p(z)$ is said to be a procedure call with identifier $p$ and actual parameters $z$. We presuppose that for each procedure call $p(z_1 \ldots z_m)$ there exists a unique procedure definition, possibly recursive, of the form $p(x_1 \ldots x_m) \stackrel{\mathrm{def}}{=} P$ where $fv(P) \subseteq \{x_1, \ldots, x_m\}$.

Table 1: Reduction semantics for ccp (the symmetric rules for R3 and R4 are omitted)

R1: $\langle \mathrm{tell}(c), d\rangle \rightarrow \langle \mathbf{0}, d \sqcup c\rangle$

R2: $\dfrac{c \sqsubseteq d}{\langle \mathrm{ask}(c) \rightarrow P, d\rangle \rightarrow \langle P, d\rangle}$

R3: $\dfrac{\langle P, d\rangle \rightarrow \langle P', d'\rangle}{\langle P \parallel Q, d\rangle \rightarrow \langle P' \parallel Q, d'\rangle}$

R4: $\dfrac{\langle P, d\rangle \rightarrow \langle P', d'\rangle}{\langle P + Q, d\rangle \rightarrow \langle P', d'\rangle}$

R5: $\dfrac{\langle P, e \sqcup \exists_x d\rangle \rightarrow \langle P', e' \sqcup \exists_x d\rangle}{\langle \exists_x^{e} P, d\rangle \rightarrow \langle \exists_x^{e'} P', d \sqcup \exists_x e'\rangle}$

R6: $\dfrac{\langle P[z/x], d\rangle \rightarrow \gamma'}{\langle p(z), d\rangle \rightarrow \gamma'}$ for $p(x) \stackrel{\mathrm{def}}{=} P$

Reduction Semantics. The operational semantics is given by transitions between configurations. A configuration is a pair $\langle P, d\rangle$ representing a state of a system; $d$ is a constraint representing the global store, and $P$ is a process, i.e., a term of the syntax. We use $Conf$ with typical elements $\gamma, \gamma', \ldots$ to denote the set of configurations. The operational model of ccp is given by the transition relation $\rightarrow\ \subseteq Conf \times Conf$ defined in Tab. 1. Except for R5, these standard rules are self-explanatory. We include R5 for completeness of the presentation but it is not necessary to understand our work in the next section. For the sake of space we refer the interested reader to [1] for a detailed explanation of the rules.

Barbed Semantics. The authors in [1] introduced a barbed semantics for ccp. Barbed equivalences have been introduced in [11] for CCS, and have become the standard behavioural equivalences for formalisms equipped with unlabeled reduction semantics. Intuitively, barbs are basic observations (predicates) on the states of a system.

In the case of ccp, barbs are taken from the underlying set $Con_0$ of the constraint system. A configuration $\gamma = \langle P, d\rangle$ is said to satisfy the barb $c$ ($\gamma \downarrow_c$) iff $c \sqsubseteq d$.

Definition 2. A barbed bisimulation is a symmetric relation $\mathcal{R}$ on configurations s.t. whenever $(\gamma_1, \gamma_2) \in \mathcal{R}$:

(i) if $\gamma_1 \downarrow_c$ then $\gamma_2 \downarrow_c$,

(ii) if $\gamma_1 \rightarrow \gamma_1'$ then there exists $\gamma_2'$ s.t. $\gamma_2 \rightarrow \gamma_2'$ and $(\gamma_1', \gamma_2') \in \mathcal{R}$.

$\gamma_1$ and $\gamma_2$ are barbed bisimilar ($\gamma_1 \sim_b \gamma_2$) if there exists a barbed bisimulation $\mathcal{R}$ s.t. $(\gamma_1, \gamma_2) \in \mathcal{R}$.

One can verify that $\sim_b$ is an equivalence. However, it is not a congruence; i.e., it is not preserved under arbitrary contexts (the interested reader can check Ex. 7 in [1]). An elegant solution to modify bisimilarity for obtaining a congruence consists in saturated bisimilarity [4, 3] (pioneered by [12]). The basic idea is simple: saturated bisimulations are closed w.r.t. all the possible contexts of the language. In the case of ccp, it is enough to require that bisimulations are upward closed as in condition (iii) below.

Definition 3. A saturated barbed bisimulation is a symmetric relation $\mathcal{R}$ on configurations s.t. whenever $(\gamma_1, \gamma_2) \in \mathcal{R}$ with $\gamma_1 = \langle P, d\rangle$ and $\gamma_2 = \langle Q, e\rangle$:

(i) if $\gamma_1 \downarrow_c$ then $\gamma_2 \downarrow_c$,

(ii) if $\gamma_1 \rightarrow \gamma_1'$ then there exists $\gamma_2'$ s.t. $\gamma_2 \rightarrow \gamma_2'$ and $(\gamma_1', \gamma_2') \in \mathcal{R}$,

(iii) for every $a \in Con_0$, $(\langle P, d \sqcup a\rangle, \langle Q, e \sqcup a\rangle) \in \mathcal{R}$.

$\gamma_1$ and $\gamma_2$ are saturated barbed bisimilar ($\gamma_1 \sim_{sb} \gamma_2$) if there exists a saturated barbed bisimulation $\mathcal{R}$ s.t. $(\gamma_1, \gamma_2) \in \mathcal{R}$.

Example 2. Take $T = \mathrm{tell}(true)$, $P = \mathrm{ask}(x < 7) \rightarrow T$ and $Q = \mathrm{ask}(x < 5) \rightarrow T$. You can see that $\langle P, true\rangle \not\sim_{sb} \langle Q, true\rangle$, since $\langle P, x < 7\rangle \rightarrow$, while $\langle Q, x < 7\rangle \not\rightarrow$. Consider now the configuration $\langle P + Q, true\rangle$ and observe that $\langle P + Q, true\rangle \sim_{sb} \langle P, true\rangle$. Indeed, for all constraints $e$ s.t. $x < 7 \sqsubseteq e$, both configurations evolve into $\langle T, e\rangle$, while for all $e$ s.t. $x < 7 \not\sqsubseteq e$, neither configuration can proceed. Since $x < 7 \sqsubseteq x < 5$, the behaviour of $Q$ is somehow absorbed by the behaviour of $P$.

Example 3. Since $\sim_{sb}$ is upward closed, $\langle P + Q, z < 5\rangle \sim_{sb} \langle P, z < 5\rangle$ follows immediately from the previous example. Now take $R = \mathrm{ask}(z < 5) \rightarrow (P + Q)$ and $S = \mathrm{ask}(z < 7) \rightarrow P$. By arguments analogous to those of the previous example, one can show that

$\langle R + S, true\rangle \sim_{sb} \langle S, true\rangle$.

Example 4. Take $T' = \mathrm{tell}(y = 1)$, $Q' = \mathrm{ask}(x < 5) \rightarrow T'$ and $R' = \mathrm{ask}(z < 5) \rightarrow P + Q'$. Observe that $\langle P + Q', z < 5\rangle \not\sim_{sb} \langle P, z < 5\rangle$ and that $\langle R' + S, true\rangle \not\sim_{sb} \langle S, true\rangle$, since $\langle P + Q', x < 5\rangle$ and $\langle R' + S, true\rangle$ can reach a store containing the constraint $y = 1$.

In [2], a weak variant of $\sim_{sb}$ is introduced and it is shown that it is fully abstract w.r.t. the standard observational equivalence of [14]. In this paper, we will show an algorithm for checking $\sim_{sb}$ and we leave, as future work, extending it to the weak semantics.

Nevertheless, the equivalence $\sim_{sb}$ would seem hard to (automatically) check because of the upward-closure (namely, the quantification over all possible $a \in Con_0$ in condition (iii)) of Def. 3. The work in [1] deals with this issue by refining the notion of transition by adding to it a label that carries additional information about the constraints that cause the reduction.

Labeled Semantics. As explained in [1], in a transition of the form $\langle P, d\rangle \xrightarrow{\alpha} \langle P', d'\rangle$ the label $\alpha$ represents a minimal information (from the environment) that needs to be added to the store $d$ to evolve from $\langle P, d\rangle$ into $\langle P', d'\rangle$, i.e., $\langle P, d \sqcup \alpha\rangle \rightarrow \langle P', d'\rangle$. The labeled transition relation $\rightarrow\ \subseteq Conf \times Con_0 \times Conf$ is defined by the rules in Tab. 2. The rule LR2, for example, says that $\langle \mathrm{ask}(c) \rightarrow P, d\rangle$ can evolve to $\langle P, d \sqcup \alpha\rangle$ if the environment provides a minimal constraint $\alpha$ that added to the store $d$ entails $c$, i.e., $\alpha \in \min\{a \in Con_0 \mid c \sqsubseteq d \sqcup a\}$. Note that assuming that $(Con, \sqsubseteq)$ is well-founded (Sec. 2) is necessary to guarantee that $\alpha$ exists whenever $\{a \in Con_0 \mid c \sqsubseteq d \sqcup a\}$ is not empty. The other rules, except LR5, are easily seen to realize the above intuition. An explanation of LR5 is not needed to understand the present work. For the sake of space, we refer the reader to [1] for a more detailed explanation of these labeled rules. Fig. 1 illustrates the LTSs of our running example.

Syntactic Bisimilarity. When defining bisimilarity over an LTS, barbs are not usually needed because they can be somehow inferred from the labels of the transitions. For instance, in CCS, $P \downarrow_a$ iff $P \xrightarrow{a}$. However this is not the case of ccp: barbs cannot be removed from the definition of bisimilarity because they cannot be inferred from the transitions.

Table 2: Labeled semantics for ccp (the symmetric rules for LR3 and LR4 are omitted)

LR1: $\langle \mathrm{tell}(c), d\rangle \xrightarrow{true} \langle \mathbf{0}, d \sqcup c\rangle$

LR2: $\dfrac{\alpha \in \min\{a \in Con_0 \mid c \sqsubseteq d \sqcup a\}}{\langle \mathrm{ask}(c) \rightarrow P, d\rangle \xrightarrow{\alpha} \langle P, d \sqcup \alpha\rangle}$

LR3: $\dfrac{\langle P, d\rangle \xrightarrow{\alpha} \langle P', d'\rangle}{\langle P \parallel Q, d\rangle \xrightarrow{\alpha} \langle P' \parallel Q, d'\rangle}$

LR4: $\dfrac{\langle P, d\rangle \xrightarrow{\alpha} \langle P', d'\rangle}{\langle P + Q, d\rangle \xrightarrow{\alpha} \langle P', d'\rangle}$

LR5: $\dfrac{\langle P[z/x], e[z/x] \sqcup d\rangle \xrightarrow{\alpha} \langle P', e' \sqcup d \sqcup \alpha\rangle}{\langle \exists_x^{e} P, d\rangle \xrightarrow{\alpha} \langle \exists_x^{e'[x/z]} P'[x/z], \exists_x(e'[x/z]) \sqcup d \sqcup \alpha\rangle}$ with $x \notin fv(e')$, $z \notin fv(P) \cup fv(e \sqcup d \sqcup \alpha)$

LR6: $\dfrac{\langle P[z/x], d\rangle \xrightarrow{\alpha} \gamma'}{\langle p(z), d\rangle \xrightarrow{\alpha} \gamma'}$ for $p(x) \stackrel{\mathrm{def}}{=} P$

Figure 1: The labeled transition systems of the running example ($IS = \{\langle R' + S, true\rangle, \langle S, true\rangle, \langle R + S, true\rangle\}$).

$T = \mathrm{tell}(true)$, $P = \mathrm{ask}(x < 7) \rightarrow T$, $Q = \mathrm{ask}(x < 5) \rightarrow T$, $R = \mathrm{ask}(z < 5) \rightarrow (P + Q)$,
$T' = \mathrm{tell}(y = 1)$, $S = \mathrm{ask}(z < 7) \rightarrow P$, $Q' = \mathrm{ask}(x < 5) \rightarrow T'$, $R' = \mathrm{ask}(z < 5) \rightarrow (P + Q')$.

$\langle R' + S, true\rangle \xrightarrow{z < 5} \langle P + Q', z < 5\rangle$, $\langle R' + S, true\rangle \xrightarrow{z < 7} \langle P, z < 7\rangle$, $\langle S, true\rangle \xrightarrow{z < 7} \langle P, z < 7\rangle$, $\langle R + S, true\rangle \xrightarrow{z < 7} \langle P, z < 7\rangle$, $\langle R + S, true\rangle \xrightarrow{z < 5} \langle P + Q, z < 5\rangle$;
$\langle P + Q', z < 5\rangle \xrightarrow{x < 5} \langle T', z < 5 \sqcup x < 5\rangle \xrightarrow{true} \langle \mathbf{0}, z < 5 \sqcup x < 5 \sqcup y = 1\rangle$, $\langle P + Q', z < 5\rangle \xrightarrow{x < 7} \langle T, z < 5 \sqcup x < 7\rangle$;
$\langle P, z < 7\rangle \xrightarrow{x < 7} \langle T, z < 7 \sqcup x < 7\rangle \xrightarrow{true} \langle \mathbf{0}, z < 7 \sqcup x < 7\rangle$;
$\langle P + Q, z < 5\rangle \xrightarrow{x < 5} \langle T, z < 5 \sqcup x < 5\rangle \xrightarrow{true} \langle \mathbf{0}, z < 5 \sqcup x < 5\rangle$, $\langle P + Q, z < 5\rangle \xrightarrow{x < 7} \langle T, z < 5 \sqcup x < 7\rangle \xrightarrow{true} \langle \mathbf{0}, z < 5 \sqcup x < 7\rangle$.

Taking into account the barbs, the obvious adaptation of labeled bisimilarity for ccp is the following:

Definition 4. [1] A syntactic bisimulation is a symmetric relation $\mathcal{R}$ on configurations s.t. whenever $(\gamma_1, \gamma_2) \in \mathcal{R}$:

(i) if $\gamma_1 \downarrow_c$ then $\gamma_2 \downarrow_c$,

(ii) if $\gamma_1 \xrightarrow{\alpha} \gamma_1'$ then $\exists \gamma_2'$ s.t. $\gamma_2 \xrightarrow{\alpha} \gamma_2'$ and $(\gamma_1', \gamma_2') \in \mathcal{R}$.

$\gamma_1$ and $\gamma_2$ are syntactically bisimilar ($\gamma_1 \sim_S \gamma_2$) if there exists a syntactic bisimulation $\mathcal{R}$ s.t. $(\gamma_1, \gamma_2) \in \mathcal{R}$.

Unfortunately, as shown in [1], $\sim_S$ is over-discriminating. As an example, consider the configurations $\langle P + Q, z < 5\rangle$ and $\langle P, z < 5\rangle$, whose LTSs are shown in Fig. 1. They are not equivalent according to $\sim_S$. Indeed $\langle P + Q, z < 5\rangle \xrightarrow{x < 5}$ while $\langle P, z < 5\rangle \not\xrightarrow{x < 5}$. However they are equivalent according to $\sim_{sb}$ (Ex. 3).

3. IRREDUNDANT BISIMILARITY 

Syntactic bisimilarity is over-discriminating because of some redundant transitions. For instance, consider the transitions:

(a) $\langle P + Q, z < 5\rangle \xrightarrow{x < 7} \langle T, z < 5 \sqcup x < 7\rangle$;

(b) $\langle P + Q, z < 5\rangle \xrightarrow{x < 5} \langle T, z < 5 \sqcup x < 5\rangle$.

Transition (a) means that for all constraints $e$ s.t. $x < 7 \sqsubseteq e$,

(c) $\langle P + Q, z < 5 \sqcup e\rangle \rightarrow \langle T, z < 5 \sqcup e\rangle$,

while transition (b) means that the reduction (c) is possible for all $e$ s.t. $x < 5 \sqsubseteq e$. Since $x < 7 \sqsubseteq x < 5$, transition (b) is "redundant", in the sense that its meaning is "logically derived" from transition (a).

The following notion captures the above intuition: 



Definition 5. We say that $\langle P, c\rangle \xrightarrow{\alpha} \langle P_1, c'\rangle$ derives $\langle P, c\rangle \xrightarrow{\beta} \langle P_1, c''\rangle$, written $\langle P, c\rangle \xrightarrow{\alpha} \langle P_1, c'\rangle \vdash_D \langle P, c\rangle \xrightarrow{\beta} \langle P_1, c''\rangle$, iff there exists $e$ s.t. the following conditions hold:

(i) $\beta = \alpha \sqcup e$   (ii) $c'' = c' \sqcup e$   (iii) $\alpha \neq \beta$

One can verify in the above example that (a) $\vdash_D$ (b). Notice that in order to check if $\langle P + Q, z < 5\rangle \sim_{sb} \langle P, z < 5\rangle$, we could first remove the redundant transition (b) and then check $\sim_S$.

More generally, a naive approach to compute $\sim_{sb}$ would be to first remove all those transitions that can be derived from others, and then apply the partition refinement algorithm. However, this approach would fail since it would distinguish $\langle R + S, true\rangle$ and $\langle S, true\rangle$ that, instead, are in $\sim_{sb}$ (Ex. 3). Indeed, $\langle R + S, true\rangle$ can perform:

(e) $\langle R + S, true\rangle \xrightarrow{z < 7} \langle P, z < 7\rangle$,

(f) $\langle R + S, true\rangle \xrightarrow{z < 5} \langle P + Q, z < 5\rangle$,

while $\langle S, true\rangle \not\xrightarrow{z < 5}$. Note that transition (f) cannot be derived from other transitions, since (e) $\nvdash_D$ (f). Indeed, $P$ is syntactically different from $P + Q$, even if they have the same behaviour when inserted in the store $z < 5$, i.e., $\langle P, z < 5\rangle \sim_{sb} \langle P + Q, z < 5\rangle$ (Ex. 3). The transition (f) is also "redundant", since its behaviour "does not add anything" to the behaviour of (e).

Definition 6. Let $\mathcal{R}$ be a relation and $\gamma \xrightarrow{\alpha} \gamma_1$ and $\gamma \xrightarrow{\beta} \gamma_2$ be two transitions. We say that the former dominates the latter one in $\mathcal{R}$ (written $\gamma \xrightarrow{\alpha} \gamma_1 \succ_{\mathcal{R}} \gamma \xrightarrow{\beta} \gamma_2$) iff

(i) $\gamma \xrightarrow{\alpha} \gamma_1 \vdash_D \gamma \xrightarrow{\beta} \gamma_3$   (ii) $(\gamma_2, \gamma_3) \in \mathcal{R}$

A transition is redundant w.r.t. $\mathcal{R}$ if it is dominated in $\mathcal{R}$ by another transition. Otherwise, it is irredundant.

Note that the transition $\gamma \xrightarrow{\beta} \gamma_3$ might not be generated by the rules in Tab. 2 but simply derived from $\gamma \xrightarrow{\alpha} \gamma_1$ through $\vdash_D$. For instance, transition (e) dominates (f) in $\sim_{sb}$, because (e) $\vdash_D \langle R + S, true\rangle \xrightarrow{z < 5} \langle P, z < 5\rangle$ and $\langle P, z < 5\rangle \sim_{sb} \langle P + Q, z < 5\rangle$.

Figure 2: The partitions computed by CCP-Partition-Refinement($\{\langle R' + S, true\rangle, \langle S, true\rangle, \langle R + S, true\rangle\}$).

$\mathcal{P}^0 = \{\langle R' + S, true\rangle, \langle S, true\rangle, \langle R + S, true\rangle\}, \{\langle P + Q', z < 5\rangle, \langle P + Q, z < 5\rangle, \langle P, z < 5\rangle\}, \{\langle P, z < 7\rangle\}, \{\langle T', z < 5 \sqcup x < 5\rangle, \langle T, z < 5 \sqcup x < 5\rangle, \langle \mathbf{0}, z < 5 \sqcup x < 5\rangle\}, \{\langle T, z < 7 \sqcup x < 7\rangle, \langle \mathbf{0}, z < 7 \sqcup x < 7\rangle\}, \{\langle T, z < 5 \sqcup x < 7\rangle, \langle \mathbf{0}, z < 5 \sqcup x < 7\rangle\}, \{\langle \mathbf{0}, z < 5 \sqcup x < 5 \sqcup y = 1\rangle\}$

$\mathcal{P}^1 = \{\langle R' + S, true\rangle, \langle S, true\rangle, \langle R + S, true\rangle\}, \{\langle P + Q', z < 5\rangle, \langle P + Q, z < 5\rangle, \langle P, z < 5\rangle\}, \{\langle P, z < 7\rangle\}, \{\langle T', z < 5 \sqcup x < 5\rangle\}, \{\langle T, z < 5 \sqcup x < 5\rangle\}, \{\langle \mathbf{0}, z < 5 \sqcup x < 5\rangle\}, \{\langle T, z < 7 \sqcup x < 7\rangle\}, \{\langle \mathbf{0}, z < 7 \sqcup x < 7\rangle\}, \{\langle T, z < 5 \sqcup x < 7\rangle\}, \{\langle \mathbf{0}, z < 5 \sqcup x < 7\rangle\}, \{\langle \mathbf{0}, z < 5 \sqcup x < 5 \sqcup y = 1\rangle\}$

$\mathcal{P}^2 = \{\langle R' + S, true\rangle, \langle S, true\rangle, \langle R + S, true\rangle\}, \{\langle P + Q', z < 5\rangle\}, \{\langle P + Q, z < 5\rangle, \langle P, z < 5\rangle\}, \{\langle P, z < 7\rangle\}, \{\langle T', z < 5 \sqcup x < 5\rangle\}, \{\langle T, z < 5 \sqcup x < 5\rangle\}, \{\langle \mathbf{0}, z < 5 \sqcup x < 5\rangle\}, \{\langle T, z < 7 \sqcup x < 7\rangle\}, \{\langle \mathbf{0}, z < 7 \sqcup x < 7\rangle\}, \{\langle T, z < 5 \sqcup x < 7\rangle\}, \{\langle \mathbf{0}, z < 5 \sqcup x < 7\rangle\}, \{\langle \mathbf{0}, z < 5 \sqcup x < 5 \sqcup y = 1\rangle\}$

$\mathcal{P}^3 = \{\langle R' + S, true\rangle\}, \{\langle S, true\rangle, \langle R + S, true\rangle\}, \{\langle P + Q', z < 5\rangle\}, \{\langle P + Q, z < 5\rangle, \langle P, z < 5\rangle\}, \{\langle P, z < 7\rangle\}, \{\langle T', z < 5 \sqcup x < 5\rangle\}, \{\langle T, z < 5 \sqcup x < 5\rangle\}, \{\langle \mathbf{0}, z < 5 \sqcup x < 5\rangle\}, \{\langle T, z < 7 \sqcup x < 7\rangle\}, \{\langle \mathbf{0}, z < 7 \sqcup x < 7\rangle\}, \{\langle T, z < 5 \sqcup x < 7\rangle\}, \{\langle \mathbf{0}, z < 5 \sqcup x < 7\rangle\}, \{\langle \mathbf{0}, z < 5 \sqcup x < 5 \sqcup y = 1\rangle\}$

$\mathcal{P}^4 = \mathcal{P}^3$

Therefore, we could compute $\sim_{sb}$ by removing all those transitions that are redundant w.r.t. $\sim_{sb}$. This, however, would lead us to a circular situation: how to decide which transitions are redundant when redundancy itself depends on $\sim_{sb}$?

Our solution relies on the following definition that allows to compute bisimilarity and redundancy at the same time.

Definition 7. An irredundant bisimulation is a symmetric relation $\mathcal{R}$ on configurations s.t. whenever $(\gamma_1, \gamma_2) \in \mathcal{R}$:

(i) if $\gamma_1 \downarrow_c$ then $\gamma_2 \downarrow_c$,

(ii) if $\gamma_1 \xrightarrow{\alpha} \gamma_1'$ is irredundant in $\mathcal{R}$ then $\exists \gamma_2'$ s.t. $\gamma_2 \xrightarrow{\alpha} \gamma_2'$ and $(\gamma_1', \gamma_2') \in \mathcal{R}$.

$\gamma_1$ and $\gamma_2$ are irredundant bisimilar ($\gamma_1 \sim_I \gamma_2$) if there exists an irredundant bisimulation $\mathcal{R}$ s.t. $(\gamma_1, \gamma_2) \in \mathcal{R}$.



Theorem 1. $\sim_I = \sim_{sb}$.

Proof. See [2]. □

4. PARTITION REFINEMENT FOR CCP

Recall that we mentioned in Sec. 2 that checking $\sim_{sb}$ seems hard because of the quantification over all possible constraints. However, by using Theo. 1 we shall introduce an algorithm for checking $\sim_{sb}$ by employing the notion of irredundant bisimulation.

The first novelty w.r.t. the standard partition refinement (Alg. 1) consists in using barbs. Since configurations satisfying different barbs are surely different, we can safely start with a partition that equates all and only those states satisfying the same barbs. Note that two configurations satisfy the same barbs iff they have the same store. Thus, we take as initial partition $\mathcal{P}^0 = \{IS^*_{d_1}\} \ldots \{IS^*_{d_n}\}$, where $IS^*_{d_i}$ is the subset of the configurations of $IS^*$ with store $d_i$.

Another difference is that instead of using the function $\mathcal{F}$ of Alg. 1, we refine the partitions by employing the function $IR$ defined as follows: for all partitions $\mathcal{P}$, $\gamma_1\ IR(\mathcal{P})\ \gamma_2$ iff

• if $\gamma_1 \xrightarrow{\alpha} \gamma_1'$ is irredundant in $\mathcal{P}$, then there exists $\gamma_2'$ s.t. $\gamma_2 \xrightarrow{\alpha} \gamma_2'$ and $\gamma_1'\ \mathcal{P}\ \gamma_2'$.

It is now important to observe that the computation of $IR(\mathcal{P}^n)$ might also involve states that are not reachable from the initial states $IS$. For instance, consider the LTSs of $\langle S, true\rangle$ and $\langle R + S, true\rangle$ in Fig. 1. The state $\langle P, z < 5\rangle$ is not reachable but is needed to check if $\langle R + S, true\rangle \xrightarrow{z < 5} \langle P + Q, z < 5\rangle$ is redundant (look at the example after Def. 6).

For this reason, we also have to change the initialization step of our algorithm, by including in the set $IS^*$ all the states that are needed to check redundancy. This is done by using the following closure rules.

$$\text{(IS)}\ \dfrac{\gamma \in IS}{\gamma \in IS^*} \qquad \text{(RS)}\ \dfrac{\gamma_1 \in IS^* \quad \gamma_1 \xrightarrow{\alpha} \gamma_2}{\gamma_2 \in IS^*} \qquad \text{(RD)}\ \dfrac{\gamma \in IS^* \quad \gamma \xrightarrow{\alpha} \gamma_1 \quad \gamma \xrightarrow{\beta} \gamma_2 \quad \gamma \xrightarrow{\alpha} \gamma_1 \vdash_D \gamma \xrightarrow{\beta} \gamma_3}{\gamma_3 \in IS^*}$$

The rule (RD) adds all the states that are needed to check redundancy. Indeed, if $\gamma$ can perform both $\gamma \xrightarrow{\alpha} \gamma_1$ and $\gamma \xrightarrow{\beta} \gamma_2$ s.t. $\gamma \xrightarrow{\alpha} \gamma_1 \vdash_D \gamma \xrightarrow{\beta} \gamma_3$, then $\gamma \xrightarrow{\beta} \gamma_2$ would be redundant whenever $\gamma_2 \sim_{sb} \gamma_3$.

Algorithm 2 CCP-Partition-Refinement($IS$)
Initialization

1. Compute $IS^*$ with the rules (IS), (RS) and (RD),

2. $\mathcal{P}^0 := \{IS^*_{d_1}\} \ldots \{IS^*_{d_n}\}$,

Iteration $\mathcal{P}^{n+1} := IR(\mathcal{P}^n)$,

Termination If $\mathcal{P}^n = \mathcal{P}^{n+1}$ then return $\mathcal{P}^n$.

Fig. 2 shows the partitions computed by the algorithm with initial states $\langle R' + S, true\rangle$, $\langle S, true\rangle$ and $\langle R + S, true\rangle$. Note that, as expected, in the final partition $\langle R + S, true\rangle$ and $\langle S, true\rangle$ belong to the same block, while $\langle R' + S, true\rangle$ belongs to a different one (meaning that the former two are saturated bisimilar, while $\langle R' + S, true\rangle$ is different). In the initial partition all states with the same store are equated. In $\mathcal{P}^1$, the blocks are split by considering the outgoing transitions: all the final states are distinguished (since they cannot perform any transitions) and $\langle T', z < 5 \sqcup x < 5\rangle$ is distinguished from $\langle T, z < 5 \sqcup x < 5\rangle$. All the other blocks are not divided, since all the transitions with label $x < 5$ are redundant in $\mathcal{P}^0$ (since $\langle P, z < 5\rangle\ \mathcal{P}^0\ \langle P + Q', z < 5\rangle$, $\langle P, z < 5\rangle\ \mathcal{P}^0\ \langle P + Q, z < 5\rangle$ and $\langle T', z < 5 \sqcup x < 5\rangle\ \mathcal{P}^0\ \langle T, z < 5 \sqcup x < 5\rangle$). Then, in $\mathcal{P}^2$, $\langle P + Q', z < 5\rangle$ is distinguished from $\langle P, z < 5\rangle$ since the transition $\langle P + Q', z < 5\rangle \xrightarrow{x < 5}$ is not redundant anymore in $\mathcal{P}^1$ (since $\langle T', z < 5 \sqcup x < 5\rangle$ and $\langle T, z < 5 \sqcup x < 5\rangle$ belong to different blocks in $\mathcal{P}^1$). Then in $\mathcal{P}^3$, $\langle R' + S, true\rangle$ is distinguished from $\langle S, true\rangle$ since the transition $\langle R' + S, true\rangle \xrightarrow{z < 5}$ is not redundant in $\mathcal{P}^2$ (since $\langle P + Q', z < 5\rangle$ and $\langle P, z < 5\rangle$ are no longer related by $\mathcal{P}^2$). Finally, the algorithm computes $\mathcal{P}^4$, which is equal to $\mathcal{P}^3$, and returns it.

It is interesting to observe that the transition $\langle R + S, true\rangle \xrightarrow{z < 5}$ is redundant in all the partitions computed by the algorithm (and thus in $\sim_{sb}$), while the transition $\langle R' + S, true\rangle \xrightarrow{z < 5}$ is considered redundant in $\mathcal{P}^0$ and $\mathcal{P}^1$ and not redundant in $\mathcal{P}^2$ and $\mathcal{P}^3$.
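As an added example, not the paper's own C++ implementation, the following Python code runs CCP-Partition-Refinement (Alg. 2) on the running example of Fig. 1: $IS^*$ is computed with the closure rules (IS), (RS) and (RD), $\vdash_D$ is decided through the characterization of Theorem 3 of Sec. 4.2, and the partitions are refined with $IR$. It assumes the constraint system of Example 1 restricted to per-variable sets of allowed values over a constructed finite domain $0..9$ (where the minimal label of rule LR2 is unique), and it supports only tell, ask, $+$ and $\mathbf{0}$, which is all the running example needs.

```python
# Added example (not the paper's C++ implementation): Alg. 2 on the running example, over
# Example 1's constraint system restricted to per-variable allowed-value sets (unique LR2 min).
DOMAIN = frozenset(range(10))   # constructed domain of variable values
TRUE = frozenset()              # no information: every assignment allowed
NIL = ("nil",)                  # the inactive process 0

def norm(d):  # canonical form: drop variables about which nothing is known
    return frozenset((v, s) for v, s in d.items() if s != DOMAIN)

def lt(var, n):  # the constraint var < n of Example 1
    return norm({var: frozenset(v for v in DOMAIN if v < n)})
def eq(var, n):  # the constraint var = n
    return norm({var: frozenset([n])})
def allowed(c, var):
    return dict(c).get(var, DOMAIN)

def join(c, d):
    """c ⊔ d: intersection of the sets of allowed assignments (Example 1)."""
    return norm({v: allowed(c, v) & allowed(d, v) for v in {v for v, _ in c} | {v for v, _ in d}})

def entails(d, c):
    """c ⊑ d: every assignment allowed by d is allowed by c."""
    return all(allowed(d, v) <= s for v, s in c)

def strictly_below(a, b):  # a ⊏ b
    return entails(b, a) and a != b

def min_label(c, d):
    """The unique minimal a with c ⊑ d ⊔ a (premise of rule LR2) in this lattice."""
    return norm({v: s | (DOMAIN - allowed(d, v)) for v, s in c})

def steps(proc, store):
    """Labeled transitions of <proc, store> by LR1, LR2, LR4: set of (label, proc', store')."""
    kind = proc[0]
    if kind == "tell":
        return {(TRUE, NIL, join(store, proc[1]))}
    if kind == "ask":
        a = min_label(proc[1], store)
        return {(a, proc[2], join(store, a))}
    if kind == "sum":
        return steps(proc[1], store) | steps(proc[2], store)
    return set()  # 0 has no transitions

def closure(initial):
    """IS* by the rules (IS), (RS) and (RD), plus the transitions of every state in it."""
    states, trans, work = set(initial), {}, list(initial)  # (IS)
    while work:
        g = work.pop()
        trans[g] = steps(*g)
        new = {(p, s) for _, p, s in trans[g]}  # (RS)
        for a, p1, c1 in trans[g]:  # (RD): by Theorem 3, the transition labelled a
            for b, _, _ in trans[g]:  # derives the one labelled b (when a ⊏ b)
                if strictly_below(a, b):  # with target <P1, c1 ⊔ b>
                    new.add((p1, join(c1, b)))
        for n in new - states:
            states.add(n)
            work.append(n)
    return states, trans

def redundant(g, t, trans, block):
    """Def. 6: is transition t of g dominated, in partition `block`, by another transition of g?"""
    b, p2, c2 = t
    return any(strictly_below(a, b) and block[(p2, c2)] == block[(p1, join(c1, b))]
               for a, p1, c1 in trans[g])

def refine(states, trans, block):
    """One application of IR: states stay together iff they share a block and their
    irredundant transitions agree on labels and target blocks (Def. 7, condition (ii))."""
    ids, nxt = {}, {}
    for g in states:
        sig = frozenset((a, block[(p, s)]) for a, p, s in trans[g]
                        if not redundant(g, (a, p, s), trans, block))
        nxt[g] = ids.setdefault((block[g], sig), len(ids))
    return nxt

def ccp_partition_refinement(initial):
    """Alg. 2: returns the final partition (state -> block id) and all partitions computed."""
    states, trans = closure(initial)
    ids = {}
    block = {g: ids.setdefault(g[1], len(ids)) for g in states}  # P^0: one block per store
    history = [block]
    while True:
        nxt = refine(states, trans, block)
        if len(set(nxt.values())) == len(set(block.values())):  # P^{n+1} = P^n: stop
            return block, history
        block = nxt
        history.append(block)

# The running example of Fig. 1, with processes as nested tuples.
T, T1 = ("tell", TRUE), ("tell", eq("y", 1))
P, Q, Q1 = ("ask", lt("x", 7), T), ("ask", lt("x", 5), T), ("ask", lt("x", 5), T1)
S = ("ask", lt("z", 7), P)
R, R1 = ("ask", lt("z", 5), ("sum", P, Q)), ("ask", lt("z", 5), ("sum", P, Q1))
IS = [(("sum", R1, S), TRUE), (S, TRUE), (("sum", R, S), TRUE)]

def run_running_example():
    """Final partition on IS and the block counts of P^0, P^1, ... (7, 11, 12, 13 as in Fig. 2)."""
    block, history = ccp_partition_refinement(IS)
    return block, [len(set(b.values())) for b in history]
```

`run_running_example()` returns a partition in which $\langle R + S, true\rangle$ and $\langle S, true\rangle$ share a block while $\langle R' + S, true\rangle$ does not, and $IS^*$ has the 15 states of Fig. 2, including the unreachable $\langle P, z < 5\rangle$ added by (RD).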

4.1 Termination 

Note that any iteration splits blocks and never fuses them. For this reason if $IS^*$ is finite, the algorithm terminates in at most $|IS^*|$ iterations. The proof of the next proposition assumes that $\vdash_D$ is decidable. However, as we shall prove in the next section, the decidability of $\vdash_D$ follows from our assumption about the decidability of the ordering relation $\sqsubseteq$ of the underlying constraint system and Theo. 3 in the next section.



Proposition 2. If $IS^*$ is finite, then the algorithm terminates and the resulting partition coincides with $\sim_{sb}$.

Proof. See [2]. □

We now prove that if the set $Config(IS)$ of all configurations reachable from $IS$ (through the LTS generated by the rules in Tab. 2) is finite, then $IS^*$ is finite.

This condition can be easily guaranteed by imposing some syntactic restrictions on ccp terms, like for instance, by excluding either the procedure call or the hiding operator.

Theorem 2. If $Config(IS)$ is finite, then $IS^*$ is finite.

Proof. See [2]. □

4.2 Complexity of the Implementation 

Here we give asymptotic bounds for the execution time of Alg. 2. We assume that the reader is familiar with the $O(\cdot)$ notation for asymptotic upper bounds in analysis of algorithms; see [6].

Our implementation of Alg. 2 is a variant of the original partition refinement algorithm in [10] with two main differences: the computation of $IS^*$ according to rules (IS), (RS) and (RD) (line 2, Alg. 2) and the decision procedure for $\vdash_D$ (Def. 5) needed in the redundancy checks.

Recall that we assume $\sqsubseteq$ to be decidable. Notice that the requirement of having some $e$ that satisfies both conditions (i) and (ii) in Def. 5 suggests that deciding whether two given transitions belong to $\vdash_D$ may be costly. The following theorem, however, provides a simpler characterization of $\vdash_D$ allowing us to reduce the decision problem of $\vdash_D$ to that of $\sqsubseteq$.

Theorem 3. $\langle P, c\rangle \xrightarrow{\alpha} \langle P_1, c'\rangle \vdash_D \langle P, c\rangle \xrightarrow{\beta} \langle P_1, c''\rangle$ iff the following conditions hold: (a) $\alpha \sqsubset \beta$   (b) $c'' = c' \sqcup \beta$

Proof. See [2]. □

Henceforth we shall assume that given a constraint system $\mathbf{C}$, the function $f_{\mathbf{C}}$ represents the time complexity of deciding (whether two given constraints are in) $\sqsubseteq$. The following is a useful corollary of the above theorem.

Corollary 1. Given two transitions $t$ and $t'$, deciding whether $t \vdash_D t'$ takes $O(f_{\mathbf{C}})$ time.

Remark 2. We introduced $\vdash_D$ as in Def. 5 as a natural adaptation of the corresponding notion in [5]. The simpler characterization given by the above theorem is due to particular properties of ccp transitions, in particular monotonicity of the store, and hence it may not hold in a more general scenario.

Complexity. The size of the set $IS^*$ is central to the complexity of Alg. 2 and depends on the topology of the underlying transition graph. For tree-like topologies, a typical representation of many transition graphs, one can show by using a simple combinatorial argument that the size of $IS^*$ is quadratic w.r.t. the size of the set of configurations reachable from $IS$, i.e., $Config(IS)$. For arbitrary graphs, however, the size of $IS^*$ may be exponential in the number of transitions between the states of $Config(IS)$ as shown by the following construction.

Definition 8. Let $P^0 = \mathbf{0}$ and $P^1 = P$. Given an even number $n$, define $s_n(n, 0) = \mathbf{0}$, $s_n(n, 1) = \mathrm{ask}(true) \rightarrow s_n(n, 0)$ and for each $0 \le i < n \wedge 0 \le j \le 1$ let $s_n(i, j) = (\mathrm{ask}(true) \rightarrow s_n(i, j \oplus 1))^{i \bmod 2} + (\mathrm{ask}(b_{i,j}) \rightarrow \mathbf{0}) + (\mathrm{ask}(a_i) \rightarrow s_n(i + 1, j))$ where $\oplus$ means addition modulo 2. We also assume that (1) for each $i, j$: $a_i \sqsubseteq b_{i,j}$ and (2) for each two different $i$ and $i'$: $a_i \not\sqsubseteq a_{i'}$, and (3) for each two different $(i, j)$ and $(i', j')$: $b_{i,j} \not\sqsubseteq b_{i',j'}$.

Let $IS = \{s_n(0, 0)\}$. One can verify that the size of $IS^*$ is indeed exponential in the number of transitions between the states of $Config(IS)$.

Since Alg. 2 computes $IS^*$, the above construction shows that on some inputs Alg. 2 takes at least exponential time. We conclude by stating an upper bound on the execution time of Alg. 2.

Theorem 4. Let $n$ be the size of the set of states $Config(IS)$ and let $m$ be the number of transitions between those states. Then $n \times 2^{O(m)} \times f_{\mathbf{C}}$ is an upper bound for the running time of Alg. 2.

Proof. See [2]. □

5. CONCLUDING REMARKS 

In this paper we provided an algorithm for verifying (strong) bisimilarity for ccp by building upon the work in [5]. Weak bisimilarity is the variant obtained by ignoring, as much as possible, silent transitions (transitions labelled with $true$ in the ccp case). Neither [5] nor the present work deal with this weak variant. We therefore plan to provide an algorithm for this central equivalence in future work.

6. REFERENCES 

[1] A. Aristizabal, F. Bonchi, C. Palamidessi, L. Pino, and F. D. Valencia. Deriving labels and bisimilarity for concurrent constraint programming. In FOSSACS, pages 138-152, 2011.
[2] A. Aristizabal, F. Bonchi, L. Pino, and F. Valencia. Partition refinement for bisimilarity in ccp (extended version). Technical report, INRIA-CNRS, 2012. Available at: http://www.lix.polytechnique.fr/~andresaristi/sac2012.pdf
[3] F. Bonchi, F. Gadducci, and G. V. Monreale. Reactive systems, barbed semantics, and the mobile ambients. In FOSSACS, pages 272-287, 2009.
[4] F. Bonchi, B. König, and U. Montanari. Saturated semantics for reactive systems. In LICS, pages 69-80, 2006.
[5] F. Bonchi and U. Montanari. Minimization algorithm for symbolic bisimilarity. In ESOP, pages 267-284, 2009.
[6] T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein. Introduction to Algorithms (3. ed.). MIT Press, 2009.
[7] F. S. de Boer, A. D. Pierro, and C. Palamidessi. Nondeterminism and infinite computations in constraint programming. Theor. Comput. Sci., 151(1):37-78, 1995.
[8] J.-C. Fernandez. An implementation of an efficient algorithm for bisimulation equivalence. Sci. Comput. Program., 13(1):219-236, 1989.
[9] G. Ferrari, S. Gnesi, U. Montanari, M. Pistore, and G. Ristori. Verifying mobile processes in the HAL environment. In CAV, pages 511-515, 1998.
[10] P. C. Kanellakis and S. A. Smolka. CCS expressions, finite state processes, and three problems of equivalence. In PODC, pages 228-240, 1983.
[11] R. Milner and D. Sangiorgi. Barbed bisimulation. In ICALP, pages 685-695, 1992.
[12] U. Montanari and V. Sassone. Dynamic congruence vs. progressing bisimulation for CCS. FI, 16(1):171-199, 1992.
[13] V. A. Saraswat and M. C. Rinard. Concurrent constraint programming. In POPL, pages 232-245, 1990.
[14] V. A. Saraswat, M. C. Rinard, and P. Panangaden. Semantic foundations of concurrent constraint programming. In POPL, pages 333-352, 1991.
[15] B. Victor and F. Moller. The mobility workbench - a tool for the pi-calculus. In CAV, pages 428-440, 1994.



